The Investigation Timesuck

investigation_s1 – 2@2x.png

The investigation begins from a single security alert.  

Security analysts face a daunting challenge for each security alert

  • Is this a credible threat? 

  • If so, what is the root cause?

  • What is its scope?

The timeline represents the findings from Ponemon's 2019 Cost of a Breach report illustrating the long average periods of time to recognize, investigate, and remediate a breach.  

Lateral movement, account switching, and simple evasion techniques, escape basic methods for grouping alerts (e.g. from the same host or user)  

The challenge of linking threat activity together is compounded when different analysts triage related alerts


Cloud systems and containers may have changed or no longer exist when the investigation begins, creating impassable gaps to recover attack steps


Spyderbat differs from existing approaches by identifying the causal connections between user sessions, processes, files, network connections, machines and containers into a stateful Operations Plane. This provides the groundwork for attack tracing.  

Spyderbat layers in security context in real-time.  The Spyderbat Security Plane tracks third-party alerts from security controls such as SIEM or SOAR, IaaS security monitoring solutions such as AWS Guard Duty, and with Spyderbat's Flags. Fusing the Security Plane with the Operations Plane highlights causal connections across security activity, highlighting the complete attack path.

Due to Spyderbat’s stateful representation of activities, attack traces follow the actual attack paths even when traversed through hybrid and cloud environments. By seeing systems and containers ‘as they were’ when attack steps took place, Spyderbat establishes accurate and complete attack traces.  

Spyderbat Flags identify uncommon activities or system behaviors, ranging in severity from simple informational steps to truly malicious activity to complement third-party alerts by visually identifing attack steps when automatically grouped together through causal connections. 

Extensible and easy-to-create, Spyderbat Flags are provided by Spyderbat and through community contribution. 

Spyderbat dramatically reduces security investigation time from days to hours by providing security analysts with all causally connected threat activity regardless of whether it is separated by time, systems, users, and other parameters.

© SPYDERBAT, Inc., All Rights Reserved

Follow us to see what happens next
  • Spyderbat LinkedIn
  • Spyderbat Twitter